Using Regedit to Edit the Windows Vista Registry

If you ever need to edit the Vista Registry by hand, Regedit is the tool. It's not without its dangers, however. Robert Cowart and Brian Knittel cover the basics of the Registry editor to help get you started.

This chapter is from the book

Most people never need to edit the Registry by hand because most Registry keys are set by the software that uses them. For example, Microsoft Office sets its own preference values, and the Control Panel applets set the appropriate Display, Sound, and Networking Registry entries. In a way, the Control Panel is mostly just a Registry editor in disguise.

However, you might need to edit the Registry by hand if you're directed by a technical support person who's helping you fix a problem, or when you're following a published procedure to make an adjustment for which there is no Control Panel setting.

In the latter case, before going any further, I need to say this one last time, to make it absolutely clear: Unless you're quite certain that you can't make a mistake, back up the Registry (or at least the section you want to change) before making any changes.

The next few sections cover the basics of the Registry editor.

Viewing the Registry

The Registry editor doesn't have a Start menu item. The easiest way to run it is to type regedit into the Search field on the Start menu. When regedit appears in the results pane under Programs, take one of the following actions, depending on your needs:

If you are logged on as an Administrator, press Enter or click regedit. When the User Account Control dialog box appears, click Continue. The Registry editor will run with full elevated privileges.

If you are not logged on as an Administrator but need to change settings in only the HKEY_CURRENT_USER section of the Registry, press Enter or click regedit. The Registry editor will run with reduced privileges, and you will not be able to change systemwide settings.

If you are not logged on as an Administrator but need to change systemwide settings in HKEY_LOCAL_MACHINE, right-click regedit and select Run as Administrator. Enter an Administrator account's username and password. The Registry editor will then run with full elevated privileges.

NOTE

The reason for these complicated variations is that malicious programs and email attachments can easily abuse the Registry editor, so it's subject to User Account Control restrictions, for good reason. The editor must be running in elevated mode to modify Registry keys that are secured to be changeable only by the Administrator. By the way, there is no indication in the Registry editor's title bar to tell whether it's running with elevated privileges—you just have to remember.

Regedit displays a two-pane display much like Windows Explorer, as shown in Figure 31.2. The top-level keys, which are listed below Computer, can be expanded just like drives and folders in the Explorer. In the pane on the right are the values for each key. The name of the current selected key appears in the status bar.

Figure 31.2 The Regedit screen shows keys on the left and values on the right.

Values have names, just as the files in a folder do, and it's here that configuration information is finally stored. Each key has a (Default) value, which is the value of the key itself, and any number of named values. For example, Figure 31.2 shows the key HKEY_CURRENT_USER\Control Panel\Desktop. The value of HKEY_CURRENT_USER\Control Panel\Desktop itself is undefined (blank), and the value HKEY_CURRENT_USER\Control Panel\Desktop\DragFullWindows is 1.

Registry values have a data type, which is usually one of the types shown in Table 31.2. The Registry editor display lists values by their technical names.

Table 31.2. Data Types Supported by Regedit

Technical Name | "Friendly" Name | Description
REG_SZ | String value | Textual information, a simple string of letters.
REG_BINARY | Binary value | Binary data, displayed as an arbitrary number of hexadecimal digits.
REG_DWORD | DWORD (32-bit) value | A single number displayed in hexadecimal or decimal.
REG_QWORD | QWORD (64-bit) value | A single number displayed in hexadecimal or decimal. QWORD values are used primarily by 64-bit Windows applications.
REG_MULTI_SZ | Multistring value | A string that can contain more than one line of text.
REG_EXPAND_SZ | Expandable string value | Text that can contain environment variables (such as %TEMP%).

Other data types, such as REG_DWORD_BIG_ENDIAN and REG_RESOURCE_LIST, exist, but they are obscure and rare and can't be edited with Regedit.

Searching in the Registry

You can search for a Registry entry by key name, value name, or the contents of a value string. First, select a starting point for the search in the left pane. You can select Computer to select the entire Registry, or you can limit your search to one of the top-level keys or any subordinate key. Next, select Edit, Find from the menu and enter a search string in the Find dialog box. The Find feature is not case-sensitive, so upper- and lower-case don't matter. You can check any of the Look At boxes, shown in Figure 31.3, to designate where in the Registry you expect to find the desired text: in the name of a key, in the name of a value, or in the data, the value itself.

Figure 31.3 In the Find dialog box, you can choose whether to search key names, value names, or value data.

Check Match Whole String Only to search only for items whose whole name or value is the desired string.

NOTE

Most of the time, I check all the Look At boxes except Match Whole String Only.

Select Find Next to start the search. The Regedit display indicates the first match to your string; by pressing F3, you can repeat the search to look for other instances.

TIP

The search function has two limitations:

You can't enter a backslash (\) in the search string when looking for a key or value name; Regedit won't complain, but it won't find anything, either.

You can't search for the initial HKEY_xxx part of a key name. That's not actually part of the name; it's just the section of the Registry in which the key resides.

For example, to find a key named HKEY_CLASSES_ROOT\MIDFile\shell\Play\Command, you can't type all that in and have Find jump right to the key. If you already know the full pathname of a key, use the left pane of Regedit to browse for the key directly.

Also remember that Windows Vista might store information in some places you are not familiar with.

Editing Keys and Values

Regedit has no Save or Undo menu items. Changes to the Registry happen immediately and permanently. Additions, deletions, and changes are for real. This is the reason for all the warnings to back up before you poke into the Registry.

Adding a Value

To add a value to a key, select the key in the left pane and choose Edit, New. Select the type of value to add; you can select any of the supported Registry data types, which are listed by the "friendly" names shown previously in Table 31.2. The instructions you're following indicate which type of value to add. A new value entry then appears in the right pane, as shown in Figure 31.4.

Figure 31.4 New Value adds an entry in Rename mode. Type the correct name and then press Enter.

Enter the new value's name and press Enter to edit the value.

For string values, enter the text of the desired string.

For DWORD values, choose Decimal or Hexadecimal, and enter the desired value in the chosen format (see Figure 31.5).

Figure 31.5 You can choose to enter a DWORD value in either decimal or hexadecimal notation.

For binary values, enter pairs of hexadecimal characters as instructed. (You'll never be asked to do this, I promise.)

Changing a Value

If you want to change a value, double-click it in the right pane to bring up the Edit Value dialog box. Alternatively, right-click it and select Modify. Then make the desired change and click OK.

NOTE

Many of the keys that control Windows itself have access restrictions and can be modified only by an Administrator.

That is all you will likely ever need to do with Regedit. However, in the extremely unlikely case that you want to delete a value or add or remove a key, the following sections can help see you through these processes.

Deleting a Value

If you've added a Registry value in the hope of fixing some problem and found that the change wasn't needed, or if you're instructed to delete a value by a Microsoft KnowledgeBase article or other special procedure, you can delete the entry by viewing its key and locating the value on the right pane.

Select the value and choose Edit, Delete from the menu, or right-click and select Delete from the context menu. Confirm by clicking OK.

CAUTION

There is no Undo command in the Registry editor—when you delete a value, it's gone for good. Be sure you've made a Registry backup before editing or deleting Registry keys and values.

Adding or Deleting a Key

Keys must be added as subkeys of existing keys; you can't create a new top-level key. To add a key, select an existing key in the left pane and select Edit, New, Key from the menu.

Alternatively, right-click the existing key and select New, Key from the context menu. A new key appears in the left pane, where you can edit its name, as shown in Figure 31.6. Press Enter after you enter the name.

You can delete a key by selecting it in the left pane and choosing Edit, Delete from the drop-down menu, or by right-clicking it and selecting Delete from the context menu. Click OK to confirm that you intend to delete the key. Deleting a key deletes its values and all its subkeys as well, so without the protection of Undo (or a Registry Recycling Bin), this action is serious.

Renaming a Key

As you have probably guessed, the pattern for renaming a key follows the Explorer model exactly: Choose the key in the left pane and select Edit, Rename, or right-click the key and select Rename. Finally, enter a new name and press Enter.

CAUTION

Don't attempt to rename keys without a very good reason, such as because you mistyped the name of the key you were adding. If Windows can't find specific Registry keys it needs, Windows might not boot or operate correctly.

Using Copy Key Name

As you have probably noticed by now, the names of Registry keys can be quite long, tortuous things. The Registry editor offers a bit of help to finger-fatigued Registry editors (and authors): Choosing Edit, Copy Key Name puts the name of the currently selected key into the Clipboard so you can paste it elsewhere if you need to. For example, when you've found a neat Registry trick, you might want to email your friends about it.

Advanced Registry Editing

The Registry editor has some advanced features that you'll need only if you're managing a network of Windows computers or if you run into serious problems with your Windows installation.

TIP

One advanced feature is the Favorites list. You can create bookmarks for Registry keys that you visit frequently. Simply locate the key of interest and click Favorites, Add to Favorites. You can change the name of the bookmark, if desired. Then press OK to create the Favorite. Later, you can select the entry from the Favorites menu to jump right to the desired Registry key.

We discuss several advanced techniques in the following sections.

Editing the Registry of a Remote Computer

The Registry editor permits Administrators to edit the Registry of other computers on a network. Of course, this operation is highly privileged; you must have Administrator privileges on the computer whose Registry you want to edit, and the Remote Management service must be running on the remote computer.

To edit a remote computer's Registry, choose File, Connect Network Registry. Next, enter the name of the remote computer, or click Advanced and then Find Now to select one graphically; then click OK.

When you're connected, the computer's Registry keys appear in the list along with your own, as shown in Figure 31.7.

If you want to connect to the Registry on another computer, the Remote Registry service must be running. On Windows XP, this service is enabled by default. On Windows Vista, it is not. You must change the service's startup mode from Manual to Automatic, or you must use Windows management tools to start the service on the other machine before you can edit its Registry remotely.

Note that only the two main "real" top-level keys appear: HKEY_LOCAL_MACHINE and HKEY_USERS—the virtual keys do not. When you have finished editing the remote computer's Registry, right-click its name in the left pane and select Disconnect.

CAUTION

You can't use File, Export or File, Import to save or load a remote Registry's values. These commands might appear to work, but they operate only on the local computer's Registry.

NOTE

The Remote Registry editing system uses TCP port 139, so before you can connect to a computer whose Registry you wish to edit, that computer must have an exception in Windows Firewall for Windows File and Printer Sharing. On Windows XP, File and Printer sharing is an item in the firewall's Exceptions list. On Windows Vista, you must enable File Sharing on its Network and Sharing Center, and you must also enable Remote Management on its firewall Exceptions tab.

On both Vista and XP, you must also enable the Remote Registry service. It's set to "manual" startup by default, so you must change the service's setting to Automatic and start it on each computer that you want to manage remotely.

Finally, you may not be able to edit the HKLM registry section of a computer on which User Account Control is enabled.

Editing Registry Entries for Another User

If you open a Registry editor and look under HKEY_USERS, you will find that the only available subkeys are .DEFAULT, three or more entries for system services, and your own long, numeric subkey, which is also accessible as HKEY_CURRENT_USER. As I mentioned earlier, Windows stores various parts of the Registry in data files called hives and loads the hive containing your part of HKEY_USERS only when you are actually logged on. When you log out, your subkey is unloaded from the Registry, and the hive file is left in your user profile folder. (If you have a roaming user profile, your profile folder is copied back to the domain server. That's how your preference settings follow you from one computer to another.)

As an administrator, you might find it necessary to edit HKEY_USERS entries for another user. For example, a startup program in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run might be causing such trouble that the user can't log on. If you can't log on as that user, you can edit his HKEY_CURRENT_USER Registry keys in another way:

1. Log on as an Administrator and run Regedit.

2. Select the HKEY_USERS window.

3. Highlight the top-level key HKEY_USERS.

4. Select File, Load Hive.

5. Browse to the profile folder for the desired user. For a local user account, this is in \Users\username. (For a Windows Server domain, look in the folder used for user profiles on the domain controller.) The name of this folder might have the computer name or a domain name attached. For example, on one computer, my profile folder name is bknittel.java.

6. Type the filename NTUSER.DAT. (The file will most likely not appear in the Browse dialog box because it's super hidden: marked with both the Hidden and System attributes.) Then click Open.

7. A dialog box appears, asking you to enter a name for the hive. HKEY_USERS normally loads user hives with a long numeric name, so I suggest that you type the user's logon name. Click OK. The user's Registry data is then loaded and can be edited, as shown in Figure 31.8.

Figure 31.8 An offline user's Registry hive is now loaded and can be edited.
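The same load, review, and unload sequence can be scripted with reg.exe, which is useful when the change has to be repeatable or logged. This is an added example, not part of the book; the profile folder, the hive name OfflineUser, and the use of PowerShell 2.0 or later from an elevated prompt are assumptions.

```powershell
# Added example; run elevated, while the affected user is logged off.
# Placeholders (not from the book): profile folder and temporary hive name.
$ProfileDir    = 'C:\Users\username'
$HiveName      = 'OfflineUser'
$HiveFile      = Join-Path $ProfileDir 'NTUSER.DAT'
$Mount         = "HKU\$HiveName"
$RunKey        = "$Mount\Software\Microsoft\Windows\CurrentVersion\Run"
$Backup        = Join-Path $env:TEMP "$HiveName-Run.reg"
$ValueToRemove = $null   # set to the offending value's name once you have identified it

# NTUSER.DAT is hidden and system, so test for the file directly.
if (-not [System.IO.File]::Exists($HiveFile)) { throw "Hive file not found: $HiveFile" }

& reg.exe load $Mount $HiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed (is the user still logged on?)" }

try {
    # List the user's startup entries so the troublesome one can be identified.
    & reg.exe query $RunKey 2>$null
    if ($LASTEXITCODE -ne 0) {
        Write-Host "No Run key in this hive; nothing to review."
    }
    else {
        # Back up the key before touching it; stop if the backup fails.
        & reg.exe export $RunKey $Backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup failed; no changes made." }
        Write-Host "Run key saved to $Backup"

        if ($ValueToRemove) {
            & reg.exe delete $RunKey /v $ValueToRemove /f
        }
    }
}
finally {
    # Always unload, even after an error, so the hive file is released.
    [GC]::Collect()
    & reg.exe unload $Mount | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not unload $Mount; close Regedit and retry." }
}
```

The exported .reg file records the key under HKEY_USERS\OfflineUser, so restoring it requires loading the hive under the same name first.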

Editing Registry Entries for Another Windows Installation

If you need to retrieve Registry entries from an installation of Windows 2000, XP, or Vista on another hard disk or partition, you can load any of that installation's hive files for editing or exporting. This might happen when you do one of the following:

Install a new hard disk and install Windows Vista on the new disk, leaving your old installation intact.

Encounter a severe Registry error that prevents Windows from booting at all. If you can't use the usual recovery procedure to fix the problem, you can install a fresh copy of Windows onto another drive or partition. When you boot up that copy of Windows, you can load the original installation's Registry files for editing. Then, you can try to boot up the original installation.

To edit the other installation's Registry, you need to locate its hive files. They are usually found in the locations shown in Table 31.3.

Table 31.3. Usual Location of Hive Files

Key | Default Location and Hive File
HKEY_LOCAL_MACHINE\SAM | \windows\system32\config\sam
HKEY_LOCAL_MACHINE\Security | \windows\system32\config\security
HKEY_LOCAL_MACHINE\Software | \windows\system32\config\software
HKEY_LOCAL_MACHINE\System | \windows\system32\config\system
HKEY_LOCAL_MACHINE\Components | \windows\system32\config\components
HKEY_USERS\.Default | \windows\system32\config\default

To edit another Windows installation's Registry, use the technique I described under "Editing Registry Entries for Another User." But instead of locating a user's NTUSER.DAT file, locate the desired hive file on the other hard drive or partition. Unload it after you've exported or corrected the desired information.

In some cases, you will find that you cannot view or modify keys loaded from another installation. This occurs if the keys are protected with security attributes that list specific users or groups defined in the other installation. In this case, you need to first take ownership of the keys and then add yourself as a user who is authorized to read or change the keys. The next section describes this.

Editing Registry Security

Just as files and folders in an NTFS-formatted disk partition have security attributes to control access based on user and group identity, Registry keys and values also have a complete set of Access Control attributes that determine who has rights to read, write, and modify each entry. For example, the Registry keys that control system services can't be modified by non-Administrator users; otherwise, malicious programs or users could conceivably make the entries refer to programs of their choosing, which would then run at a high privilege level. Access controls on the Registry are thus an essential part of Windows security.

NOTE

You rarely should have to modify Registry security settings, but it does happen. The usual case is that an incorrectly designed program places information in HKEY_LOCAL_MACHINE\Software that is intended to be shared and modified by all users running the program. Because Windows does not permit standard users to modify any keys in HKEY_LOCAL_MACHINE\Software by default, the program might malfunction. Modifying permissions so that standard users can edit the shared key is sometimes necessary to fix the problem. Microsoft also sometimes recommends modifying Registry security in one of their all-too-frequent emergency security bulletins.

If you absolutely must change permissions or auditing controls, locate the desired key or value, right-click it, and select Permissions. The Permissions dialog box looks just like the comparable dialog box for files and folders (see Figure 31.9), and lets you set read, write, and modify rights for specific groups and users. You'll find a corresponding set of audit settings.

Figure 31.9 Registry Key Permissions control which users or groups are allowed to see or modify the Registry key and its values.

Needless to say, incorrectly changing Registry key access rights can cause profound problems with Windows, so I encourage you not to make any changes to Registry access settings unless you're explicitly instructed to do so.

In most cases, a software vendor supplies precise instructions for making changes necessary to work around an application problem. Here, I describe a general procedure to make a given key readable and writeable by all users. You might do this to make a key capable of sharing information between users, or to repair an alternate Windows installation, as mentioned in the previous section. To set more generous permissions, follow these steps:

1. Locate and select the key in the left pane.

2. Right-click it and select Permissions.

3. Select the Users entry in the top Group or User Names section. If Users is not listed, click Add, type Users, and press OK.

4. In the lower section, check Full Control and then Apply. If this is successful, click OK.

5. If you are unable to make the changes even though you're running the Registry editor as an Administrator, click Advanced and select the Owner tab.

6. If the Current owner is listed as unknown, select Administrators in the lower list and click OK.

7. Click OK to close the Advanced Security Settings dialog box, and return to Step 3.

Needless to say, this is a risky procedure because it could result in another user or application being unable to access its own Registry keys. Use this as a procedure of last resort.
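A read-only check to run before and after the procedure above, added here as an example (it is not from the book): it records the key's owner and security descriptor, then lists every Allow entry that gives a non-administrative principal write access to the key or its subkeys. The key path is a hypothetical placeholder, and PowerShell 2.0 or later is assumed.

```powershell
# Added example (read-only; it changes nothing).
# $KeyPath is a hypothetical key standing in for the one being changed.
$KeyPath = 'HKLM:\SOFTWARE\ExampleVendor\SharedSettings'
if (-not (Test-Path $KeyPath)) { throw "Key not found: $KeyPath" }

# Principals expected to hold write access, listed by SID so the check
# does not depend on the display language of account names.
$TrustedSids = @(
    'S-1-5-18',       # SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-3-0',        # CREATOR OWNER
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow altering a key, plus the GENERIC_WRITE and GENERIC_ALL bits.
$Rights    = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$WriteMask = [int]$Rights -bor 0x50000000
$SidType   = [System.Security.Principal.SecurityIdentifier]

function Resolve-SidName($Sid) {
    # A SID from another Windows installation has no local name ("unknown" in Regedit).
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { "$($Sid.Value) (unresolved)" }
}

function Get-RegistryWriteGrant([string]$Path) {
    $keys = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }   # key not readable with the current token
        foreach ($rule in $acl.GetAccessRules($true, $true, $SidType)) {
            $sid = $rule.IdentityReference
            if ($rule.AccessControlType -ne 'Allow')                 { continue }
            if ($TrustedSids -contains $sid.Value)                   { continue }
            if (([int]$rule.RegistryRights -band $WriteMask) -eq 0)  { continue }
            New-Object PSObject -Property @{
                Key       = $key.Name
                Principal = Resolve-SidName $sid
                Rights    = $rule.RegistryRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Record the owner and security descriptor first, so the original state
# can be compared with, or restored after, the permission change.
$before = Get-Acl -Path $KeyPath
"Owner: " + (Resolve-SidName ($before.GetOwner($SidType)))
"SDDL : " + $before.GetSecurityDescriptorSddlForm('Owner, Access')

Get-RegistryWriteGrant $KeyPath | Format-Table Key, Principal, Rights, Inherited -AutoSize
```

After Users has been granted Full Control, that group appears in the output for the key and for each subkey that inherits the entry; the SDDL string saved beforehand shows what the permissions were.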